undefined | Better HN

0 pointsrom1v1y ago0 comments

Btw, this is not the only project providing a source tarball different from the git repo, for example libusb also does this (and probably others):

- https://github.com/libusb/libusb/issues/1468#issuecomment-19...

- https://github.com/orgs/community/discussions/6003

0 comments

cryptonector1y ago

It's very common in autoconf codebases because the idea is that you untar and then run `./configure ...` rather than `autoreconf -fi && ./configure ...`. But to do that either you have to commit `./configure` or you have to make a separate tarball (typically with `make dist`). I know because two projects I co-maintain do this.

bhaak1y ago

It's common but it's plain wrong. A "release" should allow to build the project without installing dependencies that are only there for compilation.

Autotools are not guaranteed to be installed on any system. For example they aren't on the OSX runners of GitHub Action.

It's also an issue with UX. autoreconf fails are pretty common. If you don't make it easy for your users to actually use your project, you lose out on some.

GrayShade1y ago

> A "release" should allow to build the project without installing dependencies that are only there for compilation.

Like a compiler or some -devel packages?

1 more reply

cryptonector1y ago

> [...] A "release" should allow to build the project without installing dependencies that are only there for compilation.

Built artifacts shouldn't require build-time dependencies to be installed, yes, but we're talking about source distributions. Including `./configure` is just a way of reducing the configuration-/build-time dependencies for the user.

> Autotools are not guaranteed to be installed on any system. [...]

Which is why this is common practice.

> It's common but it's plain wrong.

Strong word. I'm not sure it's "plain wrong". We could just require that users have autoconf installed in order to build from sources, or we could commit `./configure` whenever we make a release, or we could continue this approach. (For some royal we.)

But stopping this practice won't prevent backdoors. I think a lot of people in this thread are focusing on this as if it was the source of all evils, but it's really not.

Too1y ago

Whats the problem of running “autoreconf -fi” though?

Very strange argument. It’s like saying our source release only contains a prebuilt binary, otherwise the user has to run “make”.

If that’s such a big hassle for your downstream consumers, maybe one should use something better than autoconf in the first place.

meinersbur1y ago

Autotools are not backwards-compatible. Often only a specific version of autotools works. Only the generated configure is supposed to be portable.

It's also not the distribution model for an Autotools project. Project distributions would include a handwritten configure file that users would run: The usual `./configure && make && make install`. Since those configure scripts became more and more complex for supporting diverse combinations of compiler and OS, the idea of autotools was for maintainers to generate it. It was not meant to be executed by the user: https://en.wikipedia.org/wiki/GNU_Autotools#Usage

bhaak1y ago

For running autoreconf you need to have autotools installed and even then it can fail.

I have autotools installed and despite that autoreconf fails for me on the xz git repository.

The idea of having configure as a convoluted shell script is that it runs everywhere without any additional. If it isn't committed to the repository you're burdening your consumers with having compilation dependencies installed that are not needed for running your software.

1 more reply

j / k navigate · click thread line to collapse

0 comments

cryptonector1y ago

bhaak1y ago

It's common but it's plain wrong. A "release" should allow to build the project without installing dependencies that are only there for compilation.

Autotools are not guaranteed to be installed on any system. For example they aren't on the OSX runners of GitHub Action.

It's also an issue with UX. autoreconf fails are pretty common. If you don't make it easy for your users to actually use your project, you lose out on some.

GrayShade1y ago

> A "release" should allow to build the project without installing dependencies that are only there for compilation.

Like a compiler or some -devel packages?

1 more reply

cryptonector1y ago

> [...] A "release" should allow to build the project without installing dependencies that are only there for compilation.

> Autotools are not guaranteed to be installed on any system. [...]

Which is why this is common practice.

> It's common but it's plain wrong.

But stopping this practice won't prevent backdoors. I think a lot of people in this thread are focusing on this as if it was the source of all evils, but it's really not.

Too1y ago

Whats the problem of running “autoreconf -fi” though?

Very strange argument. It’s like saying our source release only contains a prebuilt binary, otherwise the user has to run “make”.

If that’s such a big hassle for your downstream consumers, maybe one should use something better than autoconf in the first place.

meinersbur1y ago

Autotools are not backwards-compatible. Often only a specific version of autotools works. Only the generated configure is supposed to be portable.

bhaak1y ago

For running autoreconf you need to have autotools installed and even then it can fail.

I have autotools installed and despite that autoreconf fails for me on the xz git repository.

1 more reply

j / k navigate · click thread line to collapse